Merge "ChangesList: HTML escape the timestamp"

author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>

Thu, 2 Aug 2018 10:22:22 +0000 (10:22 +0000)

committer Gerrit Code Review <gerrit@wikimedia.org>

Thu, 2 Aug 2018 10:22:22 +0000 (10:22 +0000)
author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Thu, 2 Aug 2018 10:22:22 +0000 (10:22 +0000)
committer Gerrit Code Review <gerrit@wikimedia.org>
Thu, 2 Aug 2018 10:22:22 +0000 (10:22 +0000)
diff --git a/includes/changes/ChangesList.php b/includes/changes/ChangesList.php

index eb9febe..fea31b4 100644 (file)
--- a/includes/changes/ChangesList.php
+++ b/includes/changes/ChangesList.php
@@ -531,10 +531,10 @@ class ChangesList extends ContextSource {
         public function getTimestamp( $rc ) {
                 // @todo FIXME: Hard coded ". .". Is there a message for this? Should there be?
                 return $this->message['semicolon-separator'] . '<span class="mw-changeslist-date">' .
-                       $this->getLanguage()->userTime(
+                       htmlspecialchars( $this->getLanguage()->userTime(
                                 $rc->mAttribs['rc_timestamp'],
                                 $this->getUser()
-                       ) . '</span> <span class="mw-changeslist-separator">. .</span> ';
+                       ) ) . '</span> <span class="mw-changeslist-separator">. .</span> ';
         }
  
         /**
author	jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
	Thu, 2 Aug 2018 10:22:22 +0000 (10:22 +0000)
committer	Gerrit Code Review <gerrit@wikimedia.org>
	Thu, 2 Aug 2018 10:22:22 +0000 (10:22 +0000)